Setting up cloud access permissions
To grant a user access to cloud resources, assign the user a role for the cloud.
Assigning a role for a cloud
Management console
- In the management console, select a cloud.
- Go to the Access bindings tab.
- Click Configure access.
- In the window that opens, select User accounts.
- Select a user from the list or search by user.
- Click Add role and select the role from the list or use the search bar.
- Click Save.
CLI
- View the description of the command that assigns a role for a cloud:
  ```bash
  yc resource-manager cloud add-access-binding --help
  ```
- Get a list of available clouds:
  ```bash
  yc resource-manager cloud list
  ```
  Result:
  ```text
  +----------------------+----------+
  | ID                   | NAME     |
  +----------------------+----------+
  | b1gg8sgd16g7******** | my-cloud |
  +----------------------+----------+
  ```
- Get a list of available roles:
  ```bash
  yc iam role list
  ```
  Result:
  ```text
  +--------------------------------+-------------+
  | ID                             | DESCRIPTION |
  +--------------------------------+-------------+
  | admin                          |             |
  | compute.images.user            |             |
  | editor                         |             |
  | ...                            |             |
  +--------------------------------+-------------+
  ```
- Find out the user ID from the login or email address:
  ```bash
  yc iam user-account get test-user
  ```
  Result:
  ```text
  id: gfei8n54hmfh********
  yandex_passport_user_account:
    login: test-user
    default_email: test-user@yandex.ru
  ```
- Assign the editor role for the my-cloud cloud to test-user. In the subject, specify the userAccount type and the user ID:
  ```bash
  yc resource-manager cloud add-access-binding my-cloud \
    --role editor \
    --subject userAccount:<user_ID>
  ```
To assign a role to a service account, user group, or system group instead of a user, see these examples.
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- Describe the cloud access permission parameters in the configuration file:
  - cloud_id: Cloud ID. You can get a list of available clouds using the CLI command yc resource-manager cloud list.
  - role: Role to assign. You can get a list of roles using the CLI command yc iam role list. Only one role can be assigned in one yandex_resourcemanager_cloud_iam_member resource.
  - member: User or group to assign the role to. Each yandex_resourcemanager_cloud_iam_member resource may have one of the following values:
    - userAccount:<user_ID>: User ID.
    - serviceAccount:<service_account_ID>: Service account ID.
    - federatedUser:<federated_account_ID>: Federated account ID.
    - system:group:organization:<organization_ID>:users: ID of the organization whose All users in organization X system group is assigned the role.
    - system:group:federation:<federation_ID>:users: ID of the identity federation whose All users in federation N system group is assigned the role.
  Here is an example of the configuration file structure:
  ```hcl
  data "yandex_resourcemanager_cloud" "project1" {
    name = "Project 1"
  }

  resource "yandex_resourcemanager_cloud_iam_member" "editor" {
    cloud_id = data.yandex_resourcemanager_cloud.project1.id
    role     = "editor"
    member   = "userAccount:<user_ID>"
  }
  ```
For more information about the yandex_resourcemanager_cloud_iam_member resource parameters in Terraform, see the provider documentation.
- In the command line, go to the folder where you created the configuration file.
- Make sure the configuration file is correct using this command:
  ```bash
  terraform validate
  ```
  If the configuration is correct, you will get this message:
  ```text
  Success! The configuration is valid.
  ```
- Run this command:
  ```bash
  terraform plan
  ```
  The terminal displays a list of resources to be created and their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
- Apply the configuration changes:
  ```bash
  terraform apply
  ```
- Confirm the changes: type yes into the terminal and press Enter. This will assign access permissions for the cloud.
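A check worth running before terraform plan on the configuration above: a small linter that pulls every yandex_resourcemanager_cloud_iam_member block out of a .tf file, verifies that the member argument uses one of the subject formats listed above (an unfilled <user_ID> placeholder or a typo such as user: instead of userAccount: is caught before Terraform is invoked), and flags cloud-wide grants of the broad admin and editor roles so they get a second look. This is an added example, not code from the Yandex Cloud documentation or the Terraform provider; the regex-based extraction only handles the flat resource shape shown on this page (it is not an HCL parser), the list of "broad" roles is an assumption for this check, and the .tf text and IDs it runs on are constructed.

```python
"""Lint yandex_resourcemanager_cloud_iam_member resources before terraform apply.

Added example (not from Yandex Cloud or the Terraform provider). Extracts
role/member pairs from .tf text with a regex that covers the flat resource
shape shown on the page, validates `member` against the subject formats the
page lists, and flags broad roles granted at cloud scope.
"""
import re

# Subject formats accepted by `member`, as listed on the page.
MEMBER_PATTERNS = {
    "userAccount":       re.compile(r"^userAccount:[A-Za-z0-9]+$"),
    "serviceAccount":    re.compile(r"^serviceAccount:[A-Za-z0-9]+$"),
    "federatedUser":     re.compile(r"^federatedUser:[A-Za-z0-9]+$"),
    "organizationUsers": re.compile(r"^system:group:organization:[A-Za-z0-9]+:users$"),
    "federationUsers":   re.compile(r"^system:group:federation:[A-Za-z0-9]+:users$"),
}
# Assumption for this check: roles that deserve review when granted on a whole cloud.
BROAD_ROLES = {"admin", "editor"}

# A resource block ends at a `}` in column 0, so `${...}` interpolations inside
# attribute values do not terminate the match early.
RESOURCE_RE = re.compile(
    r'resource\s+"yandex_resourcemanager_cloud_iam_member"\s+"([^"]+)"\s*\{(.*?)^\}',
    re.S | re.M)
# Only quoted attribute values are captured; cloud_id references are not needed here.
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)


def parse_members(tf_text):
    """Return [(resource_name, {attr: value})] for each cloud_iam_member block."""
    return [(name, dict(ATTR_RE.findall(body)))
            for name, body in RESOURCE_RE.findall(tf_text)]


def classify_member(member):
    """Return the subject kind for a member string, or None if it is malformed."""
    for kind, pattern in MEMBER_PATTERNS.items():
        if pattern.match(member):
            return kind
    return None


def lint(tf_text):
    """Return a list of (resource_name, finding) tuples; an empty list means clean."""
    findings = []
    for name, attrs in parse_members(tf_text):
        member = attrs.get("member", "")
        role = attrs.get("role", "")
        kind = classify_member(member)
        if kind is None:
            findings.append((name, f"malformed member {member!r}; expected one of "
                                   + ", ".join(MEMBER_PATTERNS)))
        if role in BROAD_ROLES and kind in ("organizationUsers", "federationUsers"):
            findings.append((name, f"{role} granted to every user of a {kind} group at cloud scope"))
        elif role in BROAD_ROLES:
            findings.append((name, f"broad role {role} at cloud scope; prefer a narrower role"))
    return findings


# Constructed sample configuration (IDs are made up) in the shape shown on the page.
SAMPLE_TF = '''
data "yandex_resourcemanager_cloud" "project1" {
  name = "Project 1"
}

resource "yandex_resourcemanager_cloud_iam_member" "editor" {
  cloud_id = data.yandex_resourcemanager_cloud.project1.id
  role     = "editor"
  member   = "userAccount:gfei8n54hmfh1234abcd"
}

resource "yandex_resourcemanager_cloud_iam_member" "sa_viewer" {
  cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
  role     = "viewer"
  member   = "serviceAccount:ajebqtreob2d1234abcd"
}

resource "yandex_resourcemanager_cloud_iam_member" "everyone" {
  cloud_id = data.yandex_resourcemanager_cloud.project1.id
  role     = "admin"
  member   = "system:group:organization:bpf1234abcd:users"
}

resource "yandex_resourcemanager_cloud_iam_member" "typo" {
  cloud_id = data.yandex_resourcemanager_cloud.project1.id
  role     = "viewer"
  member   = "user:gfei8n54hmfh1234abcd"
}
'''

if __name__ == "__main__":
    for resource, finding in lint(SAMPLE_TF):
        print(f"{resource}: {finding}")
```

Run it against the real file with lint(open("main.tf").read()) in a pre-commit hook or CI step; a non-empty result should block terraform apply until the finding is either fixed or consciously accepted.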
API
Use the updateAccessBindings REST API method for the Cloud resource or the CloudService/UpdateAccessBindings gRPC API call.
You will need the cloud ID and the ID of the user who is assigned the role for the cloud.
- Find out the cloud ID using the list REST API method:
  ```bash
  curl \
    --header "Authorization: Bearer <IAM_token>" \
    https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds
  ```
  Result:
  ```json
  {
    "clouds": [
      {
        "id": "b1gg8sgd16g7********",
        "createdAt": "2018-09-23T12:14:45Z",
        "name": "cloud-b1gg8sgd16g7qc"
      }
    ]
  }
  ```
- Find out the user ID by login using the getByLogin REST API method:
  ```bash
  curl \
    --header "Authorization: Bearer <IAM_token>" \
    "https://iam.api.cloud.yandex.net/iam/v1/yandexPassportUserAccounts:byLogin?login=test-user"
  ```
  Result:
  ```json
  {
    "id": "gfei8n54hmfh********",
    "yandexPassportUserAccount": {
      "login": "test-user",
      "defaultEmail": "test-user@yandex.ru"
    }
  }
  ```
- Assign the editor role for the my-cloud cloud to the user. In the action property, enter ADD, and specify the userAccount user type and the user ID under subject:
  ```bash
  curl \
    --request POST \
    --header 'Content-Type: application/json' \
    --header "Authorization: Bearer <IAM_token>" \
    --data '{
      "accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {
          "roleId": "editor",
          "subject": {
            "id": "<user_ID>",
            "type": "userAccount"
          }
        }
      }]
    }' \
    https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:updateAccessBindings
  ```
Assigning multiple roles
Management console
- In the management console, select a cloud.
- Click the Access bindings tab.
- Click Assign bindings.
- In the Configure access bindings window, click Select user.
- Select a user from the list or search for a user.
- Click Add role.
- Select a role in the cloud.
- Use the Add role button to add another role.
- Click Save.
CLI
The add-access-binding command adds only one role per call. You can assign multiple roles in a single call using the set-access-bindings command.
Alert
The set-access-bindings command completely rewrites the access permissions of the resource! Every access binding the resource currently has is deleted, including the roles of other users and of service accounts; only the bindings passed in the command remain.
- Make sure the resource has no roles assigned that you would not want to lose:
  ```bash
  yc resource-manager cloud list-access-bindings my-cloud
  ```
- For example, assign a role to multiple users:
  ```bash
  yc resource-manager cloud set-access-bindings my-cloud \
    --access-binding role=editor,subject=userAccount:<first_user_ID> \
    --access-binding role=viewer,subject=userAccount:<second_user_ID>
  ```
To assign a role to a service account, user group, or system group instead of a user, see these examples.
Terraform
- Describe the cloud access permission parameters in the configuration file. Assign the editor role to one user and the viewer role to another:
  ```hcl
  data "yandex_resourcemanager_cloud" "project1" {
    name = "Project 1"
  }

  resource "yandex_resourcemanager_cloud_iam_member" "editor" {
    cloud_id = data.yandex_resourcemanager_cloud.project1.id
    role     = "editor"
    member   = "userAccount:<first_user_ID>"
  }

  resource "yandex_resourcemanager_cloud_iam_member" "viewer" {
    cloud_id = data.yandex_resourcemanager_cloud.project1.id
    role     = "viewer"
    member   = "userAccount:<second_user_ID>"
  }
  ```
- In the command line, go to the folder where you created the configuration file.
- Make sure the configuration file is correct using this command:
  ```bash
  terraform validate
  ```
  If the configuration is correct, you will get this message:
  ```text
  Success! The configuration is valid.
  ```
- Run this command:
  ```bash
  terraform plan
  ```
  The terminal displays a list of resources to be created and their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
- Apply the configuration changes:
  ```bash
  terraform apply
  ```
- Confirm the changes: type yes into the terminal and press Enter. This will assign access permissions for the cloud.
API
Assign the editor role to one user and the viewer role to another with a single updateAccessBindings request containing two ADD deltas:
```bash
curl \
  --request POST \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{
    "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
        "roleId": "editor",
        "subject": {
          "id": "<first_user_ID>",
          "type": "userAccount"
        }
      }
    },{
      "action": "ADD",
      "accessBinding": {
        "roleId": "viewer",
        "subject": {
          "id": "<second_user_ID>",
          "type": "userAccount"
        }
      }
    }]
  }' \
  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:updateAccessBindings
```
You can also assign roles using the setAccessBindings REST API method for the Cloud resource or the CloudService/SetAccessBindings gRPC API call.
Alert
The setAccessBindings method completely rewrites the access permissions of the resource. Every access binding the resource currently has is deleted, including the roles of other users and of service accounts; only the bindings passed in the request remain.
```bash
curl \
  --request POST \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{
    "accessBindings": [{
      "roleId": "editor",
      "subject": { "id": "<first_user_ID>", "type": "userAccount" }
    },{
      "roleId": "viewer",
      "subject": { "id": "<second_user_ID>", "type": "userAccount" }
    }]
  }' \
  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:setAccessBindings
```
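Both alerts above (the CLI set-access-bindings command and the setAccessBindings API method) describe the same hazard: a wholesale set silently drops every binding you did not repeat, service accounts included. The safer way to bring a cloud to a desired set of roles is to read what it has, compute the difference, and send only ADD and REMOVE deltas through updateAccessBindings; a re-run after a successful apply then produces no deltas at all. The following is an added example, not code from the Yandex Cloud documentation: the delta computation is the general form of the reconciliation and is what the test exercises; the two HTTP helpers use the updateAccessBindings endpoint shown on this page and assume a listAccessBindings GET method on the same Cloud resource that returns accessBindings and nextPageToken (check the API reference before relying on it). The sample bindings are constructed.

```python
"""Reconcile a cloud's access bindings without the destructive setAccessBindings.

Added example, not part of the Yandex Cloud docs. compute_deltas() turns
(current, desired) binding lists into the minimal accessBindingDeltas for
updateAccessBindings; the HTTP helpers are thin wrappers around the endpoints
shown on the page plus an assumed listAccessBindings GET method.
"""
import json
import urllib.request

RM_ENDPOINT = "https://resource-manager.api.cloud.yandex.net/resource-manager/v1"


def binding_key(binding):
    """A binding is identified by (roleId, subject type, subject id)."""
    return (binding["roleId"], binding["subject"]["type"], binding["subject"]["id"])


def compute_deltas(current, desired):
    """Return the accessBindingDeltas that turn `current` into `desired`.

    Bindings already present are left untouched, so applying the result and
    calling again yields an empty list (the operation is idempotent).
    """
    have = {binding_key(b): b for b in current}
    want = {binding_key(b): b for b in desired}
    deltas = []
    for key in sorted(want.keys() - have.keys()):
        deltas.append({"action": "ADD", "accessBinding": want[key]})
    for key in sorted(have.keys() - want.keys()):
        deltas.append({"action": "REMOVE", "accessBinding": have[key]})
    return deltas


def guard_removals(deltas, protected_subject_types=("serviceAccount",)):
    """Return REMOVE deltas that touch subject types this run should not manage.

    The alerts warn that a wholesale set deletes service-account roles along
    with user roles; surfacing such removals before sending anything lets a
    caller abort instead of breaking a workload's identity.
    """
    return [d for d in deltas
            if d["action"] == "REMOVE"
            and d["accessBinding"]["subject"]["type"] in protected_subject_types]


def list_access_bindings(cloud_id, iam_token):
    """GET current bindings, following pageToken (assumed listAccessBindings method)."""
    bindings, page_token = [], None
    while True:
        url = f"{RM_ENDPOINT}/clouds/{cloud_id}:listAccessBindings"
        if page_token:
            url += f"?pageToken={page_token}"
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {iam_token}"})
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        bindings.extend(body.get("accessBindings", []))
        page_token = body.get("nextPageToken")
        if not page_token:
            return bindings


def update_access_bindings(cloud_id, iam_token, deltas):
    """POST the deltas using the updateAccessBindings method shown on the page."""
    req = urllib.request.Request(
        f"{RM_ENDPOINT}/clouds/{cloud_id}:updateAccessBindings",
        data=json.dumps({"accessBindingDeltas": deltas}).encode(),
        headers={"Authorization": f"Bearer {iam_token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample: what the cloud has now versus what it should have.
# test-user is being downgraded from editor to viewer; the service account keeps editor.
CURRENT_BINDINGS = [
    {"roleId": "editor", "subject": {"id": "gfei8n54hmfh********", "type": "userAccount"}},
    {"roleId": "editor", "subject": {"id": "ajebqtreob2d********", "type": "serviceAccount"}},
]
DESIRED_BINDINGS = [
    {"roleId": "viewer", "subject": {"id": "gfei8n54hmfh********", "type": "userAccount"}},
    {"roleId": "editor", "subject": {"id": "ajebqtreob2d********", "type": "serviceAccount"}},
]

if __name__ == "__main__":
    deltas = compute_deltas(CURRENT_BINDINGS, DESIRED_BINDINGS)
    if guard_removals(deltas):
        raise SystemExit("refusing to remove service-account bindings; review DESIRED_BINDINGS")
    print(json.dumps({"accessBindingDeltas": deltas}, indent=2))
    # Live run: current = list_access_bindings("<cloud_ID>", "<IAM_token>")
    #           update_access_bindings("<cloud_ID>", "<IAM_token>", compute_deltas(current, DESIRED_BINDINGS))
```

The printed JSON is exactly the body the curl examples above send, so it can be reviewed (or diffed in a change ticket) before the live call; the REMOVE guard is the piece that the set-based commands cannot give you.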
Cloud access for service accounts
A service account can be assigned roles for any cloud and folder within the organization it belongs to. You assign roles to a service account the same way as to a user account.
For example, to allow the test-sa service account to manage my-cloud and its resources, assign it the editor role for the cloud.
Management console
- In the management console, on the left, select a cloud.
- Go to the Access bindings tab.
- Click Configure access.
- In the window that opens, select Service accounts.
- Select a service account from the list or use the search.
- Click Add role and select a role.
- Click Save.
CLI
- Find out the ID of the test-sa service account you want to assign the role to. To do this, get a list of available service accounts:
  ```bash
  yc iam service-account list
  ```
  Result:
  ```text
  +----------------------+----------+------------------+
  | ID                   | NAME     | DESCRIPTION      |
  +----------------------+----------+------------------+
  | ajebqtreob2d******** | test-sa  | test-description |
  +----------------------+----------+------------------+
  ```
- Assign the editor role to the test-sa service account by specifying its ID. As the subject type, specify serviceAccount:
  ```bash
  yc resource-manager cloud add-access-binding my-cloud \
    --role editor \
    --subject serviceAccount:<service_account_ID>
  ```
Terraform
- Assign the editor role to the service account:
  ```hcl
  data "yandex_resourcemanager_cloud" "project1" {
    name = "Project 1"
  }

  resource "yandex_resourcemanager_cloud_iam_member" "editor" {
    cloud_id = data.yandex_resourcemanager_cloud.project1.id
    role     = "editor"
    member   = "serviceAccount:<service_account_ID>"
  }
  ```
- In the command line, go to the folder where you created the configuration file.
- Make sure the configuration file is correct using this command:
  ```bash
  terraform validate
  ```
  If the configuration is correct, you will get this message:
  ```text
  Success! The configuration is valid.
  ```
- Run this command:
  ```bash
  terraform plan
  ```
  The terminal displays a list of resources to be created and their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
- Apply the configuration changes:
  ```bash
  terraform apply
  ```
- Confirm the changes: type yes into the terminal and press Enter. This will assign access permissions for the cloud.
API
- Find out the ID of the test-sa service account you want to assign the role to. To do this, get a list of the service accounts in the folder:
  ```bash
  curl \
    --header "Authorization: Bearer <IAM_token>" \
    "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=b1gvmob95yys********"
  ```
  Result:
  ```json
  {
    "serviceAccounts": [
      {
        "id": "ajebqtreob2d********",
        "folderId": "b1gvmob95yys********",
        "createdAt": "2018-10-18T13:42:40Z",
        "name": "test-sa",
        "description": "test-description"
      }
    ]
  }
  ```
- Assign the editor role for my-cloud to the test-sa service account. In the subject property, specify the serviceAccount type and the test-sa ID. In the request URL, specify the my-cloud ID as the resource:
  ```bash
  curl \
    --request POST \
    --header 'Content-Type: application/json' \
    --header "Authorization: Bearer <IAM_token>" \
    --data '{
      "accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {
          "roleId": "editor",
          "subject": {
            "id": "<service_account_ID>",
            "type": "serviceAccount"
          }
        }
      }]
    }' \
    https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:updateAccessBindings
  ```